On Wed, 2017-11-29 at 21:39 +0530, Aman Sharma wrote:
> Hi Stephen,
>
> After enabling the unconfined module and after reboot also, Still
> showing the same id context.
>
> Is there any way to make the id context to normal state again ?
Hmmm...try resetting all booleans too? semanage boolean
Wed, Nov 29, 2017 at 9:50 PM, Stephen Smalley <s...@tycho.nsa.gov>
> wrote:
> > On Wed, 2017-11-29 at 21:39 +0530, Aman Sharma wrote:
> > > Hi Stephen,
> > >
> > > After enabling the unconfined module and after reboot also, Still
> > > showing t
On Mon, 2017-12-04 at 17:39 +0100, Dmitry Vyukov wrote:
> On Mon, Dec 4, 2017 at 2:59 PM, Paul Moore wrote:
> > > > > On 2017/12/02 3:52, syzbot wrote:
> > > > > > ===
> > > > > > ===
> > > > > > BUG: KASAN:
On Fri, 2017-12-01 at 10:34 -0500, Paul Moore wrote:
> On Thu, Nov 30, 2017 at 6:44 PM, William Roberts
> wrote:
> > On Thu, Nov 30, 2017 at 8:52 AM, Paul Moore
> > wrote:
> > > From: Paul Moore
> > >
> > > The syzbot/syzkaller
.c1023*
> > > >
> > > > *And semanage login -l is showing blank output. *
> > > >
> > > > *Do you have any idea about this.*
> > > >
> > > > *Thanks*
> > > > *Aman*
> > >
> > > Try the sam
On Thu, 2017-12-14 at 03:19 +, yangjihong wrote:
> Hello,
>
> > So, does docker just keep allocating a unique category set for
> > every new container, never reusing them even if the container is
> > destroyed?
> > That would be a bug in docker IMHO. Or are you creating an
> > unbounded
On Thu, 2017-12-14 at 12:48 +0530, Aman Sharma wrote:
> Hi All,
>
> Below is the output of semanage USer command output for sftpuser:
>
> specialuser_u user s0 s0
> sysadm_r system_r
>
> and for command semanage login -l , output is :
>
> sftpuser
On Thu, 2017-12-14 at 08:18 -0800, Casey Schaufler wrote:
> On 12/13/2017 7:18 AM, Stephen Smalley wrote:
> > On Wed, 2017-12-13 at 09:25 +, yangjihong wrote:
> > > Hello,
> > >
> > > I am doing stressing testing on 3.10 kernel(centos 7.4), to
> >
On Tue, 2017-12-12 at 23:47 -0500, Aman Sharma wrote:
> Hi All,
>
> just wanted to know the meaning of line session required
> pam_selinux.so open env_params added in /etc/pam.d/sshd file.
> Actually I am facing one issue related to this. When I changed this
> env_params to restore then my
On Thu, 2017-12-14 at 09:00 -0800, Casey Schaufler wrote:
> On 12/14/2017 8:42 AM, Stephen Smalley wrote:
> > On Thu, 2017-12-14 at 08:18 -0800, Casey Schaufler wrote:
> > > On 12/13/2017 7:18 AM, Stephen Smalley wrote:
> > > > On Wed, 2017-12-13 at 09:25 +, yan
On Mon, 2017-12-18 at 17:36 +, Arnold, Paul C CTR USARMY PEO STRI
(US) wrote:
> All,
>
> I am experiencing some issues using range_transition on objects when
> type_transition is also involved on the object. Specifically, a
> range_transition rule on a target object with a "final" type
On Wed, 2017-12-13 at 13:16 +0100, Petr Lautrbach wrote:
> Commit 985753f changed behavior of seobject class constructors. While
> semanage itself was fixed, there are other tools like
> system-config-selinux and chcat which depend on the original
> behavior.
> This change make the constructors
On Fri, 2017-12-15 at 03:09 +, yangjihong wrote:
> On 12/15/2017 10:31 PM, yangjihong wrote:
> > On 12/14/2017 12:42 PM, Casey Schaufler wrote:
> > > On 12/14/2017 9:15 AM, Stephen Smalley wrote:
> > > > On Thu, 2017-12-14 at 09:00 -0800, Casey Schaufler wrote:
>
>
> On Wed, Dec 13, 2017 at 8:54 PM, Stephen Smalley <s...@tycho.nsa.gov>
> wrote:
> > On Tue, 2017-12-12 at 23:47 -0500, Aman Sharma wrote:
> > > Hi All,
> > >
> > > just wanted to know the meaning of line session required
> > > pa
On Wed, 2017-12-13 at 09:25 +, yangjihong wrote:
> Hello,
>
> I am doing stressing testing on 3.10 kernel(centos 7.4), to
> constantly starting numbers of docker containers with selinux enabled,
> and after about 2 days, the kernel softlockup panic:
> [] sched_show_task+0xb8/0x120
> []
On Mon, 2017-11-13 at 17:45 +1100, James Morris wrote:
> On Tue, 31 Oct 2017, Stephen Smalley wrote:
>
> > This btw would be a bit cleaner if we dropped the .ns. portion of
> > the
> > name, such that we would have:
> > security.selinux # xattr name in the init name
On Wed, 2017-11-01 at 00:08 +0100, Florian Westphal wrote:
> Paul Moore <p...@paul-moore.com> wrote:
> > On Mon, Oct 30, 2017 at 10:58 AM, Stephen Smalley <s...@tycho.nsa.go
> > v> wrote:
> > > matching before (as in this patch) or after calling
> > >
On Wed, 2017-11-01 at 17:40 +1100, James Morris wrote:
> On Tue, 31 Oct 2017, Stephen Smalley wrote:
>
> > This btw would be a bit cleaner if we dropped the .ns. portion of
> > the
> > name, such that we would have:
> > security.selinux # xattr name in the init name
On Wed, 2017-11-01 at 17:39 -0400, Paul Moore wrote:
> On Tue, Oct 31, 2017 at 7:08 PM, Florian Westphal <f...@strlen.de>
> wrote:
> > Paul Moore <p...@paul-moore.com> wrote:
> > > On Mon, Oct 30, 2017 at 10:58 AM, Stephen Smalley <s...@tycho.nsa.
>
On Thu, 2017-11-02 at 14:19 +0100, Petr Lautrbach wrote:
> When SELinux is disabled, semanage without -N fails with a quite
> complicated
> error message when it tries to reload a new policy. Since reload in
> this case
> doesn't make sense, we should probably try to avoid that.
I haven't looked
On Thu, 2017-11-02 at 15:17 +0100, Petr Lautrbach wrote:
> On Thu, Nov 02, 2017 at 09:52:25AM -0400, Stephen Smalley wrote:
> > On Thu, 2017-11-02 at 14:19 +0100, Petr Lautrbach wrote:
> > > When SELinux is disabled, semanage without -N fails with a quite
> > > complicat
e to allow apt_t to directly do anything dpkg_t can do,
2) Any files created by dpkg running under apt will be labeled
according to apt_t's type transition rules rather than dpkg_t's type
transition rules.
This may not matter much with your default policy (I don't know) but it
is generally undesirable.
hostname=10.97.7.209
> addr=10.97.7.209 terminal=ssh res=success'
>
> Please let me know if any comments are there.
Those are normal. Check journalctl and /var/log/secure for any errors
from sshd.
Also try the selinuxdefcon command I mentioned.
>
> On Mon, Dec 4, 2017 at 9:10
On Sun, 2017-12-03 at 20:33 +0900, Tetsuo Handa wrote:
> On 2017/12/02 3:52, syzbot wrote:
> > ==
> > BUG: KASAN: slab-out-of-bounds in strcmp+0x96/0xb0 lib/string.c:328
> > Read of size 1 at addr 8801cd99d2c1 by task
> >
On Sat, 2017-12-02 at 09:29 +0530, Aman Sharma wrote:
> Hi All,
>
> Thanks for the information.
>
> But after resetting the semanage User/login, and moving the targeted
> folder to old one and then install the default target. then also its
> still showing the
> Id context as
at wrong in your /etc/pam.d/sshd
file, so that if someone else encounters this behavior in the future,
they can find a solution in the list archives?
>
> On Mon, Dec 4, 2017 at 9:39 PM, Stephen Smalley <s...@tycho.nsa.gov>
> wrote:
> > On Mon, 2017-12-04 at 21:31 +0530, Aman Sha
On Mon, 2017-12-04 at 21:45 +0530, Aman Sharma wrote:
> Hi Stephen,
>
> sestatus -v
> SELinux status: enabled
> SELinuxfs mount: /sys/fs/selinux
> SELinux root directory: /etc/selinux
> Loaded policy name: targeted
> Current mode:
; I used
it to confirm that we are not getting proper xfrm state selector
matching with the current xdst pcpu cache code and to test a possible fix.
Signed-off-by: Stephen Smalley <s...@tycho.nsa.gov>
---
tests/inet_socket/ipsec-load | 7 +--
tests/inet_socket/test
ache entry. With these changes,
the selinux-testsuite passes all tests again.
Fixes: ec30d78c14a813db39a647b6a348b4286ba4abf5 ("xfrm: add xdst pcpu cache")
Signed-off-by: Stephen Smalley <s...@tycho.nsa.gov>
---
This is an RFC because I am not entirely confident in the fix, e.g. i
On Tue, 2017-10-24 at 23:00 +0200, Nicolas Iooss wrote:
> On Tue, Oct 24, 2017 at 10:20 PM, William Roberts
> <bill.c.robe...@gmail.com> wrote:
> > On Oct 24, 2017 13:05, "Stephen Smalley" <s...@tycho.nsa.gov> wrote:
> >
> > On Tue, 2017-10-24 at 09:2
On Wed, 2017-10-18 at 19:30 -0700, William Roberts wrote:
> On Tue, Oct 17, 2017 at 12:50 PM, Stephen Smalley <s...@tycho.nsa.gov>
> wrote:
> > On Tue, 2017-10-17 at 11:49 -0700, William Roberts wrote:
> > > On Sun, Oct 15, 2017 at 5:10 AM, Nicolas Iooss <nicolas.ioos
restarted the job, and it failed again in the same way (but on
different cases). Then I restarted it a third time, and this time it
ran to completion. This seems problematic; we likely need to
reconsider any use of curl from the travis.yml file.
>
>
>
>
> On Tue, Oct 24, 20
On Tue, 2017-10-31 at 14:11 +1100, James Morris wrote:
> On Mon, 30 Oct 2017, Stephen Smalley wrote:
>
> > Thanks, interesting approach. One drawback is that it doesn't
> > presently
> > support any form of inheritance of labels from the parent
> > namespace, so
On Tue, 2017-10-31 at 12:11 +0100, Florian Westphal wrote:
> Stephen Smalley <s...@tycho.nsa.gov> wrote:
> > Since 4.14-rc1, the selinux-testsuite has been encountering
> > sporadic
> > failures during testing of labeled IPSEC. git bisect pointed to
> > commit
On Tue, 2017-10-31 at 09:00 -0400, Stephen Smalley wrote:
> On Tue, 2017-10-31 at 14:11 +1100, James Morris wrote:
> > On Mon, 30 Oct 2017, Stephen Smalley wrote:
> >
> > > Thanks, interesting approach. One drawback is that it doesn't
> > > presently
>
On Tue, 2017-10-31 at 09:43 -0400, Stephen Smalley wrote:
> On Tue, 2017-10-31 at 12:11 +0100, Florian Westphal wrote:
> > Stephen Smalley <s...@tycho.nsa.gov> wrote:
> > > Since 4.14-rc1, the selinux-testsuite has been encountering
> > > sporadic
> > >
On Mon, 2017-10-30 at 10:57 +, Matthew Garrett via Selinux wrote:
> On Thu, Oct 26, 2017 at 3:20 PM, Stephen Smalley <s...@tycho.nsa.gov>
> wrote:
> > On Thu, 2017-10-26 at 01:40 -0700, Matthew Garrett via Selinux
> > wrote:
> > > +static void selinux_cred_g
On Mon, 2017-10-30 at 21:04 +1100, James Morris wrote:
> This is a proof-of-concept patch to demonstrate an approach to
> supporting
> SELinux namespaces for security.selinux xattr labels.
>
> This follows on from the experimental SELinux namespace code posted
> by
> Stephen:
On 05/04/2018 07:51 AM, Petr Lautrbach wrote:
> From: Vit Mojzis
>
> self.store is always a string (actual store name or "") because of
> semanageRecords.__init__. Fix check for not defined store.
>
> Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1559174#c3
>
>
On 05/04/2018 04:12 PM, Petr Lautrbach wrote:
> On Fri, May 04, 2018 at 01:58:08PM -0400, Stephen Smalley wrote:
>> On 05/04/2018 07:51 AM, Petr Lautrbach wrote:
>>> From: Vit Mojzis <vmoj...@redhat.com>
>>>
>>> self.store is always a string (actual store
On 05/13/2018 07:43 AM, Nicolas Iooss wrote:
> On Sat, May 12, 2018 at 2:53 PM, Matěj Cepl wrote:
>> Hi,
>>
>> I am changing jobs (Red Hat -> SUSE; R, but not a security
>> related job), and although I will be switching my workstation to
>> OpenSUSE, I would love to keep SELinux
On 05/10/2018 08:55 PM, Casey Schaufler wrote:
> From: Casey Schaufler
> Date: Thu, 10 May 2018 15:54:25 -0700
> Subject: [PATCH 20/23] LSM: Move common usercopy into
> security_getpeersec_stream
>
> The modules implementing hook for getpeersec_stream
> don't need to be
On 05/14/2018 11:12 AM, Stephen Smalley wrote:
> On 05/10/2018 08:55 PM, Casey Schaufler wrote:
>> From: Casey Schaufler <ca...@schaufler-ca.com>
>> Date: Thu, 10 May 2018 15:54:25 -0700
>> Subject: [PATCH 20/23] LSM: Move common usercopy into
>> security_ge
On 05/10/2018 08:53 PM, Casey Schaufler wrote:
> From: Casey Schaufler
> Date: Thu, 10 May 2018 14:23:27 -0700
> Subject: [PATCH 10/23] LSM: Infrastructure management of the inode security
> blob
>
> Move management of the inode->i_security blob out
> of the individual
It's been running fine for me. Maybe you just need to clean your tree and
do a fresh make test.
On Mon, May 14, 2018, 7:37 PM Casey Schaufler
wrote:
> Has anyone had success with the SELinux test suite on Fedora 28?
> I find the chcon and newrole are unhappy with the
On 05/09/2018 11:01 AM, Paul Moore wrote:
> On Wed, May 9, 2018 at 8:37 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote:
>> On 05/08/2018 08:25 PM, Paul Moore wrote:
>>> On Tue, May 8, 2018 at 2:40 PM, Stephen Smalley <s...@tycho.nsa.gov> wrote:
>>>>
Fix the test to prevent overflowing the stack buffer for
boolean expressions.
Signed-off-by: Stephen Smalley <s...@tycho.nsa.gov>
---
libsepol/cil/src/cil_tree.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libsepol/cil/src/cil_tree.c b/libsepol/cil/src/cil_tree.c
On 05/08/2018 08:25 PM, Paul Moore wrote:
> On Tue, May 8, 2018 at 2:40 PM, Stephen Smalley <s...@tycho.nsa.gov> wrote:
>> On 05/08/2018 01:05 PM, Paul Moore wrote:
>>> On Tue, May 8, 2018 at 10:05 AM, Alexey Kodanev
>>> <alexey.koda...@oracle.com> wrote:
On 04/27/2018 10:23 AM, Troels Arvin wrote:
> Hello,
>
> RHEL/CentOS 7.4 was rather disastrous for Tomcat users, because lots of
> things which used to work suddenly broke, due to a new SELinux policy for
> Tomcat. RHEL 7.5 has fixed most of it, because a number of commits allowed
> Tomcat to
and git shortlog output since the 2.7
release. If there are further items we should mention or if something
should be amended in the release notes, let us know.
Thanks to all the contributors to this release candidate!
A shortlog of changes since the 2.8-rc2 release candidate is below.
Stephen
On 05/04/2018 07:51 AM, Petr Lautrbach wrote:
> From: Vit Mojzis
>
> self.store is always a string (actual store name or "") because of
> semanageRecords.__init__. Fix check for not defined store.
>
> Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1559174#c3
>
>
On 05/03/2018 02:48 PM, Stephen Smalley wrote:
> I encountered a number of build warnings on the selinux userspace
> using gcc 8, which is the default now in F28 and rawhide. This fixes
> the ones that are treated as fatal errors by default. There are still
> known warnings due
().
Signed-off-by: Stephen Smalley <s...@tycho.nsa.gov>
---
libsemanage/src/semanage_store.c | 7 ++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/libsemanage/src/semanage_store.c b/libsemanage/src/semanage_store.c
index bce648c4..f1984c50 100644
--- a/libsemana
On 05/08/2018 01:05 PM, Paul Moore wrote:
> On Tue, May 8, 2018 at 10:05 AM, Alexey Kodanev
> wrote:
>> Commit d452930fd3b9 ("selinux: Add SCTP support") breaks compatibility
>> with the old programs that can pass sockaddr_in with AF_UNSPEC and
>> INADDR_ANY to bind().
On 05/04/2018 09:26 AM, Dominick Grift wrote:
> On Fri, May 04, 2018 at 09:08:36AM -0400, Stephen Smalley wrote:
>> On 05/04/2018 03:55 AM, Jason Zaman wrote:
>>> On Thu, May 03, 2018 at 10:52:24AM -0400, Stephen Smalley wrote:
>>>> Hi,
>>>>
>>>
On 05/04/2018 03:55 AM, Jason Zaman wrote:
> On Thu, May 03, 2018 at 10:52:24AM -0400, Stephen Smalley wrote:
>> Hi,
>>
>> If you have encountered any unreported problems with the 2.8-rcX releases or
>> have any
>> pending patches you believe should be included in
On 05/04/2018 08:19 AM, Dominick Grift wrote:
> On Thu, May 03, 2018 at 10:52:24AM -0400, Stephen Smalley wrote:
>> Hi,
>>
>> If you have encountered any unreported problems with the 2.8-rcX releases or
>> have any
>> pending patches you believe should be in
On 05/15/2018 04:25 AM, Richard Haines via Selinux wrote:
> Add binder tests. See tests/binder/test_binder.c for details on
> message flows to test security_binder*() functions.
>
> Signed-off-by: Richard Haines
> ---
> README.md | 8 +
>
On 05/15/2018 08:28 AM, Stephen Smalley wrote:
> On 05/14/2018 08:10 PM, Casey Schaufler wrote:
>> On 5/14/2018 4:48 PM, Stephen Smalley wrote:
>>> It's been running fine for me. Maybe you just need to clean your tree and
>>> do a fresh make test.
>>
>> Did
On 05/15/2018 09:36 AM, Stephen Smalley wrote:
> On 05/15/2018 04:25 AM, Richard Haines via Selinux wrote:
>> Add binder tests. See tests/binder/test_binder.c for details on
>> message flows to test security_binder*() functions.
>>
>> Signed-off-by: Richard Haines <r
On 05/15/2018 04:25 AM, Richard Haines via Selinux wrote:
> Not sure how useful this is but saw [1] and thought I'll have a go out
> of idle curiosity.
I haven't looked at the code yet but I'm in favor of adding it - this should
help prevent regressions in the binder SELinux checks in upstream
On 05/14/2018 05:31 PM, Casey Schaufler wrote:
> On 5/14/2018 1:07 PM, Stephen Smalley wrote:
>> On 05/14/2018 03:52 PM, Stephen Smalley wrote:
>>> On 05/10/2018 08:30 PM, Casey Schaufler wrote:
>>>> Subject: [PATCH 00/23] LSM: Full security module stacking
>>
On 05/14/2018 08:10 PM, Casey Schaufler wrote:
> On 5/14/2018 4:48 PM, Stephen Smalley wrote:
>> It's been running fine for me. Maybe you just need to clean your tree and do
>> a fresh make test.
>
> Did that first thing.
>
> Digging down, I find that the "
On 05/16/2018 03:31 AM, Petr Lautrbach wrote:
> On Tue, May 15, 2018 at 05:03:42PM -0400, Paul Moore wrote:
>> From: Paul Moore
>>
>> If expand-check is non-zero in semanage.conf the policy load will likely
>> fail,
>> try to provide a more helpful error to users running the
On 05/15/2018 01:34 PM, Richard Haines wrote:
> On Tue, 2018-05-15 at 12:56 -0400, Stephen Smalley wrote:
>> On 05/15/2018 12:38 PM, Stephen Smalley wrote:
>>> On 05/15/2018 09:43 AM, Stephen Smalley wrote:
>>>> On 05/15/2018 09:36 AM, Stephen Smalley wrote:
>
On 05/15/2018 09:43 AM, Stephen Smalley wrote:
> On 05/15/2018 09:36 AM, Stephen Smalley wrote:
>> This test is failing for me (with or without -v):
>> # ./test -v
>> 1..6
>> Manager PID: 5608 Process context:
>> unconfined_u:unconfined_r:test_binder_mgr_t:s
On 05/15/2018 12:38 PM, Stephen Smalley wrote:
> On 05/15/2018 09:43 AM, Stephen Smalley wrote:
>> On 05/15/2018 09:36 AM, Stephen Smalley wrote:
>>> This test is failing for me (with or without -v):
>>> # ./test -v
>>> 1..6
>
On 05/12/2018 08:43 AM, Alan Jenkins wrote:
> Fix the following ambiguous output (from booting with init=/bin/sh):
>
> # /usr/sbin/fixfiles onboot
> /usr/sbin/fixfiles: line 313: /.autorelabel: Read-only file system
> /usr/sbin/fixfiles: line 317: /.autorelabel: Read-only file system
On 05/21/2018 01:02 PM, Stephen Smalley wrote:
> On 05/21/2018 12:33 PM, Richard Haines wrote:
>> Add binder tests. See tests/binder/test_binder.c for details on
>> message flows to test security_binder*() functions.
>
> Breaks the build on RHEL7 since /usr/include/linux/
On 05/20/2018 02:25 PM, Richard Haines wrote:
> Add binder tests. See tests/binder/test_binder.c for details on
> message flows to test security_binder*() functions.
Every test fails for me with:
create_shm shm_open: Permission denied
create_shm shm_open: No such file or directory
and denials of
On 05/21/2018 12:33 PM, Richard Haines wrote:
> Add binder tests. See tests/binder/test_binder.c for details on
> message flows to test security_binder*() functions.
Breaks the build on RHEL7 since /usr/include/linux/android/binder.h does not
exist and is not
provided by any package. On F28
On 05/20/2018 02:25 PM, Richard Haines wrote:
> Add binder tests. See tests/binder/test_binder.c for details on
> message flows to test security_binder*() functions.
Also, it breaks the policy build on RHEL/CentOS 7, due to map permission not
being defined.
You need to use the allow_map() macro
d properly skipped on earlier Fedora/RHEL.
Acked-by: Stephen Smalley <s...@tycho.nsa.gov>
> ---
> README.md | 8 +
> defconfig | 7 +
> policy/Makefile | 4 +
> policy/test_binder.te | 120 +++
> tests/Makefile
On 05/22/2018 09:53 AM, Stephen Smalley wrote:
> On 05/22/2018 09:11 AM, Stephen Smalley wrote:
>> On 05/22/2018 09:01 AM, Stephen Smalley wrote:
>>> On 05/22/2018 07:37 AM, Richard Haines wrote:
>>>> Could you try this version where I've packed the transaction st
On 05/22/2018 09:01 AM, Stephen Smalley wrote:
> On 05/22/2018 07:37 AM, Richard Haines wrote:
>> Could you try this version where I've packed the transaction structures.
>> I could not get the tests to fail on my two systems (but then V3 didn't).
>
> Hmmm...I saw one
On 05/22/2018 09:11 AM, Stephen Smalley wrote:
> On 05/22/2018 09:01 AM, Stephen Smalley wrote:
>> On 05/22/2018 07:37 AM, Richard Haines wrote:
>>> Could you try this version where I've packed the transaction structures.
>>> I could not get the tests to fail on my two
On 05/22/2018 07:37 AM, Richard Haines wrote:
> Could you try this version where I've packed the transaction structures.
> I could not get the tests to fail on my two systems (but then V3 didn't).
Hmmm...I saw one instance of a failure in test 6 when running ./test by
hand but am now having
On 05/25/2018 04:08 AM, bhawna goel wrote:
> Hi Team,
>
> We are facing an issue with load_policy command on Centos 7.4.. Need to
> understand what it exactly does.
>
> We have Centos 7.4 machine which have two partitions .
> Ist partition (partA) have all the policies with unconfined and when
On 05/24/2018 01:48 AM, shagun maheshwari wrote:
> Hi,
>
> We have done changes in our Centos7.4 to disable the unconfined user from our
> code. We have created an iso in which we have replaced unconfined with sysadm
> and we are performing an upgrade using the new iso.
> After upgrade current
The 20180524 / 2.8 release for the SELinux userspace is now available at:
https://github.com/SELinuxProject/selinux/wiki/Releases
A github release has also been created at:
https://github.com/SELinuxProject/selinux/releases/tag/20180524
In the future, we will likely stop hosting the releases on
On 05/24/2018 02:12 AM, Sachin Grover wrote:
> Hi,
>
> Kernel panic is coming on calling lgetxattr() sys api with random user space
> value.
>
> [ 25.833951] Call trace:
> [ 25.833954] [] dump_backtrace+0x0/0x2a8
> [ 25.833957] [] show_stack+0x20/0x28
> [ 25.833959] []
On 05/18/2018 01:03 AM, Jason Zaman wrote:
> On Thu, May 17, 2018 at 09:22:01PM +0200, Nicolas Iooss wrote:
>> On Thu, May 17, 2018 at 7:11 AM, Jason Zaman wrote:
>>> This series fixes compiling and running on musl libc.
>>>
>>> patches 1-2 are fairly trivial.
>>>
>>> patches
e we
can make a final 2.8 release anytime.
If anyone objects, speak up now.
>
> On Thu, May 10, 2018 at 11:20:01AM -0400, Stephen Smalley wrote:
>> A 2.8-rc3 release candidate for the SELinux userspace is now available at:
>> https://github.com/SELinuxProject/selinux/wiki/Releases
On 06/18/2018 03:24 PM, Petr Lautrbach wrote:
> Hello,
>
> libselinux sets selinut_mnt and has_selinux_config only in its constructor and
> is_selinux_enabled() and others just use selinux_mnt to check if SELinux is
> enabled. But it doesn't work correctly when you use chroot() to a directory
>
On 06/18/2018 03:44 PM, Mike Hughes wrote:
> We use Yubikey for two-factor ssh authentication which requires enabling a
> Boolean called “authlogin_yubikey”. It has been working fine until a few
> weeks ago. Errors appear when attempting to set the policy:
>
>
>
> --
>
>
On 06/09/2018 04:08 PM, Nicolas Iooss wrote:
> Using clang's static analyzer is as simple as running "scan-build make",
> but in order to obtain clean and reproducible results, the build
> environment has to be cleaned beforehand ("make clean distclean").
>
> Moreover the project requires running
On 06/09/2018 03:30 PM, Nicolas Iooss wrote:
> Signed-off-by: Nicolas Iooss
Thanks, applied all three.
> ---
> libsepol/cil/src/cil_resolve_ast.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/libsepol/cil/src/cil_resolve_ast.c
> b/libsepol/cil/src/cil_resolve_ast.c
On 05/29/2018 02:28 PM, Stephen Smalley wrote:
> On 05/29/2018 11:19 AM, Laurent Bigonville wrote:
>> Hello,
>>
>> While packaging policycoreutils 2.8 I've seen that the fixfiles and
>> load_policy executables were moved from /sbin to /usr/sbin
>>
>> Any
On 05/29/2018 11:19 AM, Laurent Bigonville wrote:
> Hello,
>
> While packaging policycoreutils 2.8 I've seen that the fixfiles and
> load_policy executables were moved from /sbin to /usr/sbin
>
> Any reasons for this? This seems to me like an involuntary side effect of the
> cleanup for
On 05/30/2018 11:19 AM, Paul Moore wrote:
> On Fri, May 25, 2018 at 4:31 AM, Sachin Grover wrote:
>> Call trace:
>> [] dump_backtrace+0x0/0x428
>> [] show_stack+0x28/0x38
>> [] dump_stack+0xd4/0x124
>> [] print_address_description+0x68/0x258
>> [] kasan_report.part.2+0x228/0x2f0
>> []
On 05/30/2018 10:10 AM, Peter Enderborg wrote:
> Holding the preempt_disable is very bad for low latency tasks
> such as audio and therefore we need to break out the rule-set dependent
> part from this disable. By using a RCU instead of rwlock we
> have an efficient locking and less preemption
On 05/31/2018 05:04 AM, peter enderborg wrote:
> On 05/30/2018 10:34 PM, Stephen Smalley wrote:
>> On 05/30/2018 10:10 AM, Peter Enderborg wrote:
>>> The boolean change becomes a lot more heavy with this patch,
>>> but it is a very rare usage in compare with read only op
On 05/29/2018 07:39 AM, bhawna goel wrote:
> Hi Team,
>
> We are getting below error while creating policies using command
> audit2allow.orig. Can you help in identifying what could be the possible
> reason of such error.
>
> Error:
> libsepol.context_from_record: invalid security context:
>
On 05/31/2018 10:21 AM, Stephen Smalley wrote:
> On 05/31/2018 10:12 AM, peter enderborg wrote:
>> On 05/31/2018 02:42 PM, Stephen Smalley wrote:
>>> On 05/31/2018 05:04 AM, peter enderborg wrote:
>>>> On 05/30/2018 10:34 PM, Stephen Smalley wrote:
>>>>
On 06/01/2018 09:03 AM, Russell Coker via Selinux wrote:
> The command "reboot -nffd" (kernel reboot without flushing kernel buffers or
> writing status) when run on a BTRFS system will often result in
> /var/log/audit/audit.log being unlabeled. It also results in some
> systemd-journald files
On 06/03/2018 12:25 PM, Nicolas Iooss wrote:
> pp's main() never set outfd to anything else than -1 so there is no
> point in closing it.
Thanks, applied all four patches.
>
> Signed-off-by: Nicolas Iooss
> ---
> policycoreutils/hll/pp/pp.c | 7 ---
> 1 file changed, 7 deletions(-)
>
>
On 05/31/2018 10:12 AM, peter enderborg wrote:
> On 05/31/2018 02:42 PM, Stephen Smalley wrote:
>> On 05/31/2018 05:04 AM, peter enderborg wrote:
>>> On 05/30/2018 10:34 PM, Stephen Smalley wrote:
>>>> On 05/30/2018 10:10 AM, Peter Enderborg wrote:
>>>>>
On 06/18/2018 01:22 PM, Vit Mojzis wrote:
> semanage_seuser_modify_local and semanage_seuser_del_local already do
> the logging.
> Moreover, semanage log for loginRecords.__add was flawed since it
> reported old-{seuser,role,range} of default user instead of None. This
> was caused by
;
> Cc: sta...@vger.kernel.org
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Signed-off-by: Jann Horn
Only question I have is wrt the Fixes line, i.e. was this an issue until
userfaultfd was introduced, and if not,
do we need it to be back-ported any further than the commit which i
On 06/26/2018 08:42 AM, Jann Horn wrote:
> On Tue, Jun 26, 2018 at 2:15 PM Stephen Smalley wrote:
>>
>> On 06/25/2018 12:34 PM, Jann Horn wrote:
>>> If a user is accessing a file in selinuxfs with a pointer to a userspace
>>> buffer that is backed by e.g. a user